LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 11-15-2008, 10:35 AM   #1
max_2000i
LQ Newbie
 
Registered: Sep 2007
Posts: 6

Rep: Reputation: 0
Transparent Squid + WCCP + Cisco


Hi everybody!!!

I stuck in a situation that need to implement Squid cache in transparent mode with WCCP enabled on Cisco Router as Below :

Cache Server : 192.168.64.120/24
Router with NAT configured : 192.168.64.1
LAN Clients : 192.168.64.1/24

here is my squid config in squid.conf:

http_port 127.0.0.1:3128 transparent
http_port 192.168.64.120:3128 transparent

hierarchy_stoplist cgi-bin ?
hierarchy_stoplist scripts
hierarchy_stoplist php
hierarchy_stoplist asp
hierarchy_stoplist jsp
acl QUERY urlpath_regex cgi-bin \? asp php jsp scripts
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_mem 512 MB

maximum_object_size 100 MB

cache_dir ufs /var/cache/squid 20000 34 256

access_log /var/log/squid/access.log squid

refresh_pattern -i \.(htm|html|phtml|shtml)$ 43200 90% 129600
refresh_pattern -i \.(bmp|gif|jpeg|jpg)$ 43200 90% 129600
refresh_pattern -i \.(mov|wav|mp3|avi|ram)$ 43200 90% 129600
refresh_pattern -i \.(ps|midi|au|ra|rm)$ 43200 90% 129600
refresh_pattern -i \.(tar|zip|gz|js)$ 43200 90% 129600
refresh_pattern -i \.(doc|pdf|txt)$ 43200 90% 129600


acl all src 0.0.0.0/0.0.0.0
acl class1 src 10.0.0.0/255.0.0.0
acl class2 src 172.16.0.0/255.255.0.0
acl class3 src 80.75.2.0/255.255.255.0
acl class4 src 85.15.61.0/255.255.255.0
acl class5 src 192.168.0.0/255.255.0.0
acl PURGE method purge
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl public_snmp snmp_community public
acl worm1 urlpath_regex -i /readme.eml /sample.exe /whatever.exe /153.lzh /JDBGMGR.EXE
acl worm2 url_regex -i banners.interfree.it 213.158.72.68
acl CodeRed urlpath_regex \/default\.ida\?
acl msie6 browser MSIE[[:space:]]6
acl msn-hotmail dstdomain .hotmail.msn.com

header_access Accept-Encoding deny msie6 msn-hotmail
http_access deny worm1
http_access deny worm2
http_access deny CodeRed
http_access allow manager localhost
http_access allow purge localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SSL_ports
http_access allow localhost
http_access allow class1
http_access allow class2
http_access allow class3
http_access allow class4
http_access allow class5
http_access deny purge
http_access deny all

http_reply_access allow all
icp_access allow all

snmp_access allow public_snmp localhost
snmp_access deny all

visible_hostname Metro-Cache

cache_effective_user squid
cache_effective_group squid

buffered_logs on


coredump_dir /var/cache


wccp2_router 192.168.64.1

debug_options ALL,1 80,5
=======================================================
IPTABLES Configurations :

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i wccp0 -d 0/0 -p tcp --dport 80 -j DNAT --to-destination 192.168.64.120:3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i wccp0 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i wccp0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


**by the way ,I configured with redirect too!!!

===============================================================

and Cisco 2600 Config :

Current configuration : 1929 bytes
!
! Last configuration change at 16:55:38 irst Sat Nov 15 2008 by admin
! NVRAM config last updated at 16:55:54 irst Sat Nov 15 2008 by admin
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname behTest
!
aaa new-model
aaa authentication login default local
aaa authentication login test group radius enable
enable secret 5 $1$xsdfgdsgf2Ow$3ikxxQ8/zgfgfghRornYTtXfO2V0
enable password 7 130019022B5sdsdfwettwet951
!
username admin password 7 030752180sdfwsgaewtgerynl5;;0'0
clock timezone irst 3 30
ip subnet-zero
ip wccp web-cache
ip flow-cache timeout active 1
!
!
!
!
!
!
interface Ethernet0/0
ip address 192.168.64.1 255.255.255.128
ip helper-address 192.168.64.3
ip nat inside
ip route-cache flow
half-duplex
traffic-shape group 101 16000 1000 1000 1000
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Ethernet0/1
ip address 85.15.61.170 255.255.255.248
ip nat outside
ip route-cache flow
ip wccp web-cache redirect out
half-duplex
!
interface Ethernet1/0
ip address 172.16.0.1 255.255.255.248
half-duplex
!
ip nat inside source list 20 interface Ethernet0/1 overload
ip nat inside source static 192.168.64.3 85.15.61.172
ip nat inside source static 172.16.0.2 85.15.61.171
ip flow-export source Ethernet0/0
ip flow-export version 5
ip flow-export destination 192.168.64.3 9996
ip classless
ip route 0.0.0.0 0.0.0.0 85.15.61.169
ip http server
ip pim bidir-enable
!
logging trap debugging
logging source-interface Ethernet0/0
logging 192.168.64.26
access-list 20 permit 192.168.64.0 0.0.0.127
access-list 20 permit 172.16.0.0 0.0.255.255
access-list 101 permit ip host 192.168.64.34 any
!
line con 0
line aux 0
line vty 0 4
logging synchronous
!
ntp clock-period 17180003
ntp server 132.163.4.103
end

**also configured in both version of wccp.
======================================

Also as there is in iptables ,I 've created gre tunnel (wccp0), and add gre as blow :

ip tunnel add wccp0 mode gre remote 192.168.64.1 local 192.168.64.120 dev eth0
ip addr add 192.168.64.120/32 dev wccp0
ip link set wccp0 up

======================================

also load ip_gre module

=====================

everything is looking good but ,,,there is nothing in tail -f access.log ,also when I use ifconfig , there is no traffic on gre !!!

by the way when I use tcpdump i can see this error evry 2-3 second :
802.1d unkown version

=================

Please help ASAP....many thanks friends....

Thanks.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
My linux box is not communicating with my cisco router through wccp. smarwa Linux - Networking 11 04-15-2008 09:18 AM
How does squid with wccp redirection work? dablew Linux - Server 1 10-24-2007 10:37 AM
WCCP and Transparent Proxy with Squid tech-ninja Linux - Networking 4 03-29-2005 11:25 AM
Help using freebsd 5.0 + squid + wccp + cisco ios nazzymac *BSD 1 07-27-2004 04:11 PM
WCCP on Squid vwhk Linux - General 3 01-28-2002 03:39 PM


All times are GMT -5. The time now is 12:44 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration